A system lockdown for an operating system of a computer system may be a weak lockdown or a strong lockdown. A weak lockdown has the property that only approved executable computer files are allowed to execute on the system. A strong lockdown has the following properties: (i) only approved executable computer files are allowed to execute on the system, (ii) changes to approved executable computer files are not allowed, and (iii) changes to the base system configuration of the operating system are prevented. The base system configuration includes system-service settings such as the list of drivers that are loaded during system boot. If this list were to be corrupted, the system could effectively be prevented from booting.
Strong Lockdown
Current computer software vendors prefer to implement weak lockdown over strong lockdown, because strong lockdown prevents applications and system components from being updated using existing methods. This is because approved files and the base system configuration cannot change under strong lockdown policies.
Weak Lockdown
A weak lockdown, on the other hand, allows application updates to occur (since it allows overwriting of all computer files on the system), and then checks whether the newly updated executable files are still approved by a global authorization entity (e.g., a global approval server that contains a list of checksums of computer files that are approved by the systems administrator).
While a weak lockdown interferes less with existing application behavior and usage patterns, it also provides less security, since it leaves the system open to several attacks. For example, a weak lockdown leaves the system vulnerable to a denial-of-service attack in which approved computer software applications running on the system are overwritten. In addition, a weak lockdown leaves the system vulnerable to a denial-of-service attack in which the base system configuration of the operating system is overwritten.
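The following is an added example, not part of the original document: a small Python model of the two lockdown modes described above. Approved executables are identified by SHA-256 checksums (standing in for the global approval server's list), and the base system configuration is represented by a boot-driver list. The class and function names, file paths, file contents and configuration values are all invented for the example. Running the same three events (a legitimate update, an overwrite with unapproved content, and a change to the boot-driver list) against a weak and a strong lockdown shows both the denial-of-service exposure of the weak mode and the update restriction of the strong mode.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Checksum that identifies an executable's content (what the approval
    list in the text holds)."""
    return hashlib.sha256(data).hexdigest()


class LockdownModel:
    """Model of weak vs strong lockdown (names are this example's own).

    `approved` is the administrator's list of approved executable checksums.
    A weak lockdown only enforces execution control; a strong lockdown also
    pins the approved files and the base system configuration and rejects
    any change to them.
    """

    def __init__(self, approved, strong):
        self.approved = set(approved)
        self.strong = strong
        self.files = {}            # path -> bytes currently on "disk"
        self.pinned_paths = set()  # approved files frozen by strong lockdown
        self.config = {}

    def install(self, files, base_config):
        self.files = dict(files)
        self.config = dict(base_config)
        if self.strong:
            # Pin every executable that is approved at lockdown time.
            self.pinned_paths = {p for p, c in self.files.items()
                                 if sha256_hex(c) in self.approved}

    def write_file(self, path, content):
        """Attempted overwrite of a file (e.g. by an updater). Weak lockdown
        allows every write; strong lockdown refuses writes to pinned files."""
        if self.strong and path in self.pinned_paths:
            return False
        self.files[path] = content
        return True

    def set_config(self, key, value):
        """Attempted change to the base system configuration."""
        if self.strong:
            return False
        self.config[key] = value
        return True

    def may_execute(self, path):
        """Execution control shared by both modes: the file's current
        checksum must be on the approved list."""
        content = self.files.get(path)
        return content is not None and sha256_hex(content) in self.approved


def simulate(strong: bool):
    """Run the scenarios from the text against one lockdown mode and
    report what each step was allowed to do."""
    # Constructed sample executables; only v1 and v2 are approved.
    app_v1 = b"#!/bin/sh\necho approved application v1\n"
    app_v2 = b"#!/bin/sh\necho approved application v2\n"
    unapproved = b"#!/bin/sh\necho never approved by the administrator\n"
    approved = {sha256_hex(app_v1), sha256_hex(app_v2)}

    box = LockdownModel(approved, strong)
    box.install({"/opt/app/run": app_v1},
                {"boot_drivers": ["disk", "net", "display"]})

    result = {}
    # 1. Legitimate update to another approved version.
    result["update_written"] = box.write_file("/opt/app/run", app_v2)
    result["runs_after_update"] = box.may_execute("/opt/app/run")
    # 2. Overwrite with unapproved content (denial of service on the app).
    result["overwrite_written"] = box.write_file("/opt/app/run", unapproved)
    result["runs_after_overwrite"] = box.may_execute("/opt/app/run")
    # 3. Corruption of the boot-driver list in the base configuration.
    result["config_changed"] = box.set_config("boot_drivers", [])
    result["boot_drivers"] = box.config["boot_drivers"]
    return result


if __name__ == "__main__":
    print(json.dumps({"weak": simulate(False), "strong": simulate(True)}, indent=2))
```

Under the weak lockdown the update succeeds and the updated file still runs, but the unapproved overwrite is also written (so the application can no longer execute) and the boot-driver list is emptied. Under the strong lockdown both writes and the configuration change are refused, so the original approved application keeps running, which is exactly the update restriction that the text says vendors avoid.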
Prior Art Systems
One prior art system, in Microsoft Corporation's Windows Vista operating system, is the user account control (UAC) system. The UAC reduces the privilege under which user programs normally run. The UAC reduces the attack surface of an operating system's trusted computing base by preventing attacks on approved executable computer files and the base system configuration of the system. However, the UAC still lets malicious code execute (albeit at lower privilege) and attack the user's data, since Vista does not categorize the modification of a user's data as a high-privilege operation. Thus, even with UAC, Vista would allow a malware executable to run and capture a user's web passwords, or compromise the user's private data.
Referring to FIG. 1, a prior art system uses a trusted agent to make changes to the approved executable computer files and base system configuration of a computer system. As depicted in FIG. 1, this prior art system includes (1) recording, in a sand-boxed environment, all the changes a particular application updater or installer would make to the computer file system and registry of the computer system and (2) moving these changes to the strongly locked-down system by using a trusted agent at a later time. However, this prior art system has application and system compatibility issues, since the set of changes recorded in a sand-boxed environment may not work properly when placed on target systems. In addition, this prior art system is complex and places an additional preparation burden on the computer infrastructure of the computer system.
Therefore, a method and system of updating an operating system of a computer system, where the operating system is subject to a system lockdown that does not allow changes to a list of approved executables of the operating system and that does not allow changes to a base system configuration of the operating system, is needed.